Another Banning mechanism http://www.dswp.de/old/forum-gameserver-support/another-banning-mechanism-t4490.html |
Page 1 of 3 |
Author: | wurst [ 11.30.11 ] |
Post subject: | Another Banning mechanism |
Oki here we are, one weekend some weeks ago: NIC down, restart adapter could bring it back up. Everything normal except... Hm... Wait! Traffic!
A closer look at the traffic and addresses brought strange facts:
1.) The received packet has 14 bytes. Content is "getstatus". No way to filter this with snort, every game client does it (when parsing masterlist).
2.) Depending on how full the server is, the size of the answer packet is bigger.
3.) All floods come with around 1 Mbits, they generate 15-20 Mbits upstream.
4.) It's all BF2 servers! Battlefield? I didn't find any clear info about that, the attacked servers are quake3 v. 1.16 (not urban terror)
oki, what to do now? Snort is not an option, the packet content is ok. The number of packets isn't.
First, I started to collect those IPs manually from Pfsense-Ntop packet HTML output. Later on I found a REST API, built a DB backend which records 60 sec averages (which have bigger than 500 packets/sec incoming). Overall P/sec throughput is stored too. Last thing is a schedule, it saves new IPs every ***** to firewall (and a separate table).
Ah. That's the list it collected the last 3 days:
Now is peace. |
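The collector described in this post (60-second averages per source, flagged above 500 incoming packets/sec, only new IPs handed to the firewall) can be sketched as follows. This is an added example, not wurst's code; the record layout, function names and sample data are assumptions constructed for illustration.

```python
from collections import defaultdict

WINDOW_S = 60    # averaging window named in the post
PPS_LIMIT = 500  # incoming packets/sec threshold named in the post

def flood_sources(records, window_s=WINDOW_S, pps_limit=PPS_LIMIT):
    """records: (unix_ts, src_ip, pkts_in, bytes_in, bytes_out) tuples (assumed layout).
    Returns {(window_start, src_ip): stats} for sources over the limit."""
    buckets = defaultdict(lambda: [0, 0, 0])
    for ts, src, pkts, b_in, b_out in records:
        start = int(ts) - int(ts) % window_s      # align to window boundary
        acc = buckets[(start, src)]
        acc[0] += pkts
        acc[1] += b_in
        acc[2] += b_out
    hits = {}
    for (start, src), (pkts, b_in, b_out) in buckets.items():
        pps = pkts / window_s                     # average, so short bursts do not trip it
        if pps > pps_limit:
            amp = round(b_out / b_in, 1) if b_in else None
            hits[(start, src)] = {"pps": pps, "amplification": amp}
    return hits

def new_bans(hits, already_banned):
    """Sources seen flooding that are not yet in the firewall table."""
    return sorted({src for _, src in hits} - set(already_banned))

# Constructed sample: documentation-range addresses, 10-second flow summaries.
T0 = 1322697600  # 2011-12-01 00:00:00 UTC
SAMPLE = (
    # sustained flood of 14-byte queries, replies 18x larger (constructed ratio)
    [(T0 + 10 * i, "198.51.100.7", 90_000, 90_000 * 14, 90_000 * 14 * 18) for i in range(6)]
    # ordinary client polling the server
    + [(T0 + 10 * i, "203.0.113.20", 2, 28, 1_600) for i in range(6)]
    # one 10-second burst: 600 pps briefly, 100 pps averaged over the window
    + [(T0 + 20, "198.51.100.99", 6_000, 84_000, 1_500_000)]
)

if __name__ == "__main__":
    hits = flood_sources(SAMPLE)
    for (start, src), stats in sorted(hits.items()):
        print(start, src, stats)
    print("to firewall:", new_bans(hits, already_banned=["192.0.2.55"]))
```

The outbound/inbound byte ratio is reported next to the packet rate because the post's own numbers (about 1 Mbit in, 15-20 Mbit out) are what separate this flood from a busy but legitimate client.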
Author: | Unclefragger [ 11.30.11 ] |
Post subject: | Re: Another Banning mechanism |
so bf2 script kiddies kill q3 servers? 8o anyways good job! |
Author: | wurst [ 11.30.11 ] |
Post subject: | Re: Another Banning mechanism |
hm seems they are being abused by other skeletor hax kidz here's btw what i meant with this nerdish description... |
Author: | natirips [ 11.30.11 ] |
Post subject: | Re: Another Banning mechanism |
Honestly, I found the first post much easier to understand than the third one. |
Author: | wurst [ 11.30.11 ] |
Post subject: | Re: Another Banning mechanism |
thanks... |
Author: | BEH [ 11.30.11 ] |
Post subject: | Re: Another Banning mechanism |
lol, of course. The 3rd post he made for the 'user' type person, like me - we like to look at pictures. It almost makes sense to me now. Anyways cool that it is peacetime again. congratz |
Author: | wurst [ 12.01.11 ] |
Post subject: | Re: Another Banning mechanism |
he, apparat collected new addresses... Code: "ip";"timestamp"
|
Author: | Crusher [ 12.01.11 ] |
Post subject: | Re: Another Banning mechanism |
So the flood continues... just use the BFG9000 to kill them all. |
Author: | XTJ7 [ 12.01.11 ] |
Post subject: | Re: Another Banning mechanism |
Glad you found a sexy solution for that |
Author: | wurst [ 12.01.11 ] |
Post subject: | Re: Another Banning mechanism |
ah i found the solution to kill existing states in pfsense remotely: from ./diag_dump_states.php
Code:
/* handle AJAX operations */
if($_GET['action']) {
    if($_GET['action'] == "remove") {
        $srcip = $_GET['srcip'];
        $dstip = $_GET['dstip'];
        if (is_ipaddr($srcip) and is_ipaddr($dstip)) {
            $retval = mwexec("/sbin/pfctl -k '{$srcip}' -k '{$dstip}'");
            echo htmlentities("|{$srcip}|{$dstip}|{$retval}|");
        } else {
            echo "invalid input";
        }
        exit;
    }
}
So I'm sending this via the php
Code:
// add the block rule for this source on the WAN interface
file_get_contents("http://user:******@192.168.x.y/easyrule-getstatusflood.php?action=block&int=wan&src=".$row['ip']);
// kill the existing states in both directions
file_get_contents("http://user:******@192.168.x.y/diag_dump_states.php?action=remove&srcip=".$row['ip']."&dstip=192.168.x.z");
file_get_contents("http://user:******@192.168.x.y/diag_dump_states.php?action=remove&srcip=192.168.x.z&dstip=".$row['ip']);
|
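The three calls in this post concatenate the database value straight into a URL that changes firewall state. An added example (not wurst's code) of validating the address before building those requests: the base URL, the allowlist parameter and the sample addresses are assumptions, while the page names and query parameters are the ones shown in the post.

```python
import ipaddress
from urllib.parse import urlencode

def firewall_calls(src, server_ip, base, allowlist=()):
    """Build the block request and the two state-kill requests for one source.

    Raises ValueError if src is not a plain IPv4 address, is the game server
    itself, or falls inside an allowlisted network (hypothetical safeguard so a
    forged source address cannot get a needed host banned).
    """
    try:
        ip = ipaddress.IPv4Address(src.strip())
        srv = ipaddress.IPv4Address(server_ip)
    except ipaddress.AddressValueError as exc:
        raise ValueError(f"not an IPv4 address: {exc}") from None
    if ip == srv or any(ip in ipaddress.ip_network(net) for net in allowlist):
        raise ValueError(f"{ip} is protected, refusing to block")

    def url(page, params):
        # urlencode keeps the value inside its own parameter
        return f"{base}/{page}?{urlencode(params)}"

    return [
        url("easyrule-getstatusflood.php",
            {"action": "block", "int": "wan", "src": str(ip)}),
        # states are killed in both directions, as in the post
        url("diag_dump_states.php",
            {"action": "remove", "srcip": str(ip), "dstip": str(srv)}),
        url("diag_dump_states.php",
            {"action": "remove", "srcip": str(srv), "dstip": str(ip)}),
    ]

if __name__ == "__main__":
    # Constructed values: documentation-range addresses, placeholder host name.
    # Credentials are left to the HTTP client instead of being embedded in the URL.
    for u in firewall_calls("198.51.100.7", "192.0.2.10",
                            "https://fw.example.invalid",
                            allowlist=["203.0.113.0/24"]):
        print(u)
```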
Page 1 of 3 | All times are UTC + 1 hour |